Comments

Clive Robinson July 30, 2010 9:14 PM

Hmm, the clip is incredibly short and I have not seen the film.

But I’m reminded of the old saying (that even Bruce and myself are too young to remember),

“If you want to get ahead, get a hat”

And the “weapon” appears to be a much better way for letting persistent unwelcome (ie cold) callers know that their presence is “not welcome” than say a disdainful wave of the hand or a bucket of water…

I really must find one for those “Sunday Morning” “cold callers” that have “such faith in their hearts” that they just have to pass on some message of “peace and love” at such an unwelcome hour on “my day of rest”, as the inverted cross door knocker is just not doing it these days (such a shame as it’s such a lovely “bit of brass” 😉

Clive Robinson July 30, 2010 11:23 PM

Off topic,

@ Bruce,

Speaking of brass…

Have you seen this little “toys out of the pram” response to the SCADA .lnk attack vector incident,

“Retired General Michael Hayden, former director of the National Security Agency, said Thursday [in his keynote speech at Blackhat] that one solution being discussed in government is to simply forget about trying to determine if the source of an attack is state-sponsored and hold nations responsible for malicious activity coming from their cyberspace.”

“Asked later for examples of what the consequences to a nation might be, he suggested some kind of cyberexile, or a response that would thwart the flow of the internet from the suspect country in a way that would slow their cybercommerce and ability to communicate”

[From Wired at http://www.wired.com/threatlevel/2010/07/hayden-at-blackhat/ ]

I know he works for Michael Chertoff (ex head of DHS) in the “Chertoff Group” these days so he is tarred with the “war hawk” brush. But with comments like,

“Since the price of entry is so low, and … it’s difficult to prove state sponsorship, one of the thoughts … is to just be uninterested in that distinction and to actually hold states responsible for that activity emanating from their cyberspace”

“Whether you did [the attack yourself] or not, the consequences for that action [coming from your country] are the same.”

Good grief, is he not listening to himself? If it’s so “difficult to prove state sponsorship” and “the price of entry is so low” that any individual with the brains can do it, how on earth do you expect a nation to stop it occurring, either from within their state or being launched through their state from another state by a disenfranchised individual or criminal?

The only logical conclusion from his statement is for all international Internet connections to be pulled until the state of software security is raised to the point where “the cost” is effectively as high as that of prosecuting conventional warfare…

Especially when he is very much aware that,

“You can never do anything in this domain without something going pop in [the physical world],” … “At the end of the day, it really isn’t a videogame and something’s going to happen in somebody’s physical space.”

And with regards to Cyber-Warfare,

“… the U.S. and international community haven’t made much progress in determining what would actually constitute an act of war in this domain”

Has he not drawn the line between the dots and realised that a state that has a “real world” physical event from an “information” attack may just jump into a “real world” physical war?

Or maybe he has with his comment,

“Without going into great detail, we’re [the US] actually pretty good at this, and the Chinese aren’t the only ones doing this.”

What can you say except the old,

“Madness, complete and utter madness”

Brian Krebs on the other hand has with,

http://krebsonsecurity.com/2010/07/microsoft-to-issue-emergency-patch-for-critical-windows-bug

Given a “round up” on the SCADA attack via the Microsoft .lnk attack vector and notes Microsoft’s apparent panicking with an “out of band emergency patch” (scheduled for Monday morning).

It is somewhat “quaint” as the annual data breach report issued by the Verizon Business RISK team notes on “patching”,

“based on evidence collected over the last six years, we have to wonder if we’re going about it in the most efficient and effective manner. Many organizations treat patching as if it were all they had to do to be secure. We’ve observed multiple companies that were hell-bent on getting patch X deployed by week’s end but hadn’t even glanced at their log files in months.”

And they go on in the “Of Needles and haystacks” side bar with,

“86 percent of all breaches last year could have been prevented if victim companies had simply looked for unusual patterns in the log files created by their web servers.”

Further they report that 85 percent of the breaches involved common configuration errors or weaknesses and did not require the exploitation of a flaw that could be fixed with a software patch. And apparently not one incident was reported where a patchable vulnerability was exploited…

Oops… so the use of an Open Source web vulnerability scanner, to pick up the config errors, and likewise an Open Source log file analyser would have prevented by far the majority of the reported attacks in 09…
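The Verizon finding Clive quotes, that simply looking for unusual patterns in web-server log files would have caught most breaches, as an added example that is not part of the original comment or of any of the reports it cites: a small Python analyser run over constructed Apache/Nginx "combined" format lines. The two heuristics (an IP whose requests are mostly 404s across many distinct paths, and a request path containing a "../" segment), the thresholds, and the sample IPs and paths are all assumptions chosen for the illustration, not values from the page.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" log format. The sample lines below are constructed
# for this example; they do not come from any real server.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = """\
203.0.113.7 - - [31/Jul/2010:09:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [31/Jul/2010:09:00:04 +0000] "GET /about.html HTTP/1.1" 200 2048
198.51.100.9 - - [31/Jul/2010:09:00:05 +0000] "GET /admin/ HTTP/1.1" 404 512
198.51.100.9 - - [31/Jul/2010:09:00:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512
198.51.100.9 - - [31/Jul/2010:09:00:06 +0000] "GET /wp-login.php HTTP/1.1" 404 512
198.51.100.9 - - [31/Jul/2010:09:00:06 +0000] "GET /backup.zip HTTP/1.1" 404 512
198.51.100.9 - - [31/Jul/2010:09:00:07 +0000] "GET /.env HTTP/1.1" 404 512
192.0.2.33 - - [31/Jul/2010:09:00:09 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 200 1200
203.0.113.7 - - [31/Jul/2010:09:00:10 +0000] "GET /missing.png HTTP/1.1" 404 512
"""


def parse(lines):
    """Yield one dict per line that matches the combined format; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def find_unusual(log_text, min_requests=4, error_ratio=0.75):
    """Return a list of (ip, reason) findings from raw log text.

    Heuristic 1: an IP whose requests are mostly 404s, spread over many
    distinct paths, is guessing at file names rather than browsing.
    Heuristic 2: a path containing "../" is a directory-traversal attempt and
    is flagged whatever the status code; a 200 here means the application
    actually served something and deserves immediate attention.
    Thresholds are illustrative assumptions, not values from the page.
    """
    per_ip = defaultdict(list)
    findings = []
    for rec in parse(log_text.splitlines()):
        per_ip[rec["ip"]].append(rec)
        if "../" in rec["path"]:
            findings.append(
                (rec["ip"], f"traversal pattern in {rec['path']} (status {rec['status']})")
            )
    for ip, recs in per_ip.items():
        if len(recs) < min_requests:
            continue  # too little traffic to judge a pattern
        not_found = [r for r in recs if r["status"] == 404]
        distinct_paths = {r["path"] for r in not_found}
        if len(not_found) / len(recs) >= error_ratio and len(distinct_paths) >= min_requests:
            findings.append(
                (ip, f"{len(not_found)}/{len(recs)} requests were 404 across {len(distinct_paths)} paths")
            )
    return findings


if __name__ == "__main__":
    for ip, why in find_unusual(SAMPLE_LOG):
        print(f"{ip}: {why}")
```

On the constructed sample the single traversal request from 192.0.2.33 is reported first, then 198.51.100.9 for five 404s on five distinct paths; 203.0.113.7, with one ordinary 404 among three requests, stays below the thresholds. Both heuristics need nothing more than the access log the web server already writes, which is the point of the Verizon remark.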

BF Skinner July 31, 2010 12:44 PM

@Clive re: Hayden

He’s a bastard. A long distinguished career and the first thing he becomes at NSA is the guy who without even being asked by the administration turned the NSA over to mass surveilling his own citizenry. He let Bush and the law catch up.

MikeA July 31, 2010 3:26 PM

So, is General Hayden related to Sterling Hayden, who played General Jack D. Ripper in Dr. Strangelove? 🙂

As for cephalopod ammunition, I can’t see PETA going along with this at all.

rob August 1, 2010 1:02 PM

@clive: They go away and don’t come back if you answer the door naked. Alternatively, interrupt and assume that they are hookers and start negotiating an all-day deal for the young one 🙂

Clive Robinson August 3, 2010 11:17 PM

Off Topic

@ Bruce,

I don’t know if you have a look at the “new reports” page over on the GAO site?

But they have a new report out yesterday you and other readers of this blog might want to skim through. Titled,

“United States Faces Challenges in Addressing Global Cybersecurity and Governance”

http://www.gao.gov/mobile/products/GAO-10-606

At fifty-odd pages it’s short for a GAO report but it still has that bureaucratic turgidity that encourages somnambulism…
